Legal claims defining the scope of protection, as filed with the USPTO.
1. A system, comprising: a processor configured to: receive a candidate malware potentially including one or more malicious elements; analyze the candidate malware using a virtual machine, including by: evaluating one or more actions taken by the candidate malware, when executing in the virtual machine, to determine whether the candidate malware is attempting to take an anti-virtual machine action; determine that at least one action taken by the candidate malware when executing in the virtual machine is an anti-virtual machine action, comprising an attempt to check that the candidate malware is running in a virtualized environment; and in response to the determination, generate as output an alert that the candidate malware is malicious; and a memory coupled to the processor and configured to provide the processor with instructions.
2. The system of claim 1 wherein generating the alert includes generating a signature associated with the candidate malware that indicates that the candidate malware is malicious.
3. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a product identifier of an operating system.
4. The system of claim 1 wherein the processor is further configured to generate a random product identifier for use by the virtual machine.
5. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a computer name.
6. The system of claim 1 wherein the processor is further configured to generate a random computer name for use by the virtual machine.
7. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain an identifier of a hard drive.
8. The system of claim 1 wherein the processor is further configured to generate a random hard drive identifier for use by the virtual machine.
9. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a MAC address.
10. The system of claim 1 wherein the processor is further configured to generate a random MAC address for use by the virtual machine.
11. The system of claim 1 wherein the processor is further configured to determine whether the candidate malware includes at least one virtualized environment-specific opcode.
12. The system of claim 1 wherein the processor is further configured to apply one or more hotpatches.
13. The system of claim 1 wherein the anti-virtual machine action comprises an attempt to detect hotpatching.
14. The system of claim 1 wherein the anti-virtual machine action comprises an attempt to revert a hotpatch.
15. The system of claim 1 wherein the processor is further configured to confirm that a previously applied hotpatch is still in effect.
16. The system of claim 1 wherein the anti-virtual machine action comprises one or more sleep actions.
17. A method, comprising: receiving a candidate malware potentially including one or more malicious elements; analyzing the candidate malware using a virtual machine, including by: evaluating one or more actions taken by the candidate malware, when executing in the virtual machine, to determine whether the candidate malware is attempting to take an anti-virtual machine action; determining that at least one action taken by the candidate malware when executing in the virtual machine is an anti-virtual machine action, comprising an attempt to check that the candidate malware is running in a virtualized environment; and in response to the determination, generating as output an alert that the candidate malware is malicious.
18. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving a candidate malware potentially including one or more malicious elements; analyzing the candidate malware using a virtual machine, including by: evaluating one or more actions taken by the candidate malware, when executing in the virtual machine, to determine whether the candidate malware is attempting to take an anti-virtual machine action; determining that at least one action taken by the candidate malware when executing in the virtual machine is an anti-virtual machine action, comprising an attempt to check that the candidate malware is running in a virtualized environment; and in response to the determination, generating as output an alert that the candidate malware is malicious.
19. The method of claim 17 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a product identifier of an operating system.
20. The method of claim 17 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a computer name.
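The claims above describe a sandbox that (a) provisions its virtual machine with randomly generated identifiers (product ID, computer name, hard drive ID, MAC address: claims 4, 6, 8, 10), (b) treats a sample's attempt to read those identifiers, probe or revert a hotpatch, or stall with sleeps (claims 3-16) as an anti-VM action, and (c) on such a finding emits an alert and a signature (claims 1-2). The Python below is an added illustration of that analysis pipeline written for this page; it is not the patentee's implementation. The action names in the trace, the identifier formats, the sleep threshold, and the use of a SHA-256 digest as the "signature" are all assumptions chosen for the example, and the trace itself is constructed.

```python
"""Sandbox-side model of the claimed analysis: randomize VM identifiers,
evaluate a recorded action trace for anti-VM behaviour, emit alert + signature."""
import hashlib
import random
import string
from dataclasses import dataclass

# Hypothetical action labels standing in for the behaviours named in claims 3-14.
ANTI_VM_ACTIONS = {
    "query_product_id":    "ascertain OS product identifier (claim 3)",
    "query_computer_name": "ascertain computer name (claim 5)",
    "query_disk_id":       "ascertain hard drive identifier (claim 7)",
    "query_mac_address":   "ascertain MAC address (claim 9)",
    "detect_hotpatch":     "attempt to detect hotpatching (claim 13)",
    "revert_hotpatch":     "attempt to revert a hotpatch (claim 14)",
}
# Assumption: a single sleep at least this long is treated as an evasion sleep (claim 16).
SLEEP_THRESHOLD_MS = 60_000


@dataclass
class VmEnvironment:
    product_id: str
    computer_name: str
    disk_id: str
    mac_address: str


def provision_vm_environment(seed=None) -> VmEnvironment:
    """Generate fresh random identifiers for a VM (claims 4, 6, 8, 10).
    Formats are constructed to look plausible; none are copied from a real host."""
    rng = random.Random(seed)

    def digits(n):
        return "".join(rng.choices(string.digits, k=n))

    product_id = f"{digits(5)}-OEM-{digits(7)}-{digits(5)}"
    computer_name = "DESKTOP-" + "".join(rng.choices(string.ascii_uppercase + string.digits, k=7))
    disk_id = "".join(rng.choices("0123456789ABCDEF", k=8))
    # Locally administered, unicast MAC: set bit 1 and clear bit 0 of the first octet.
    first = (rng.randrange(256) | 0x02) & 0xFE
    octets = [first] + [rng.randrange(256) for _ in range(5)]
    mac_address = ":".join(f"{o:02X}" for o in octets)
    return VmEnvironment(product_id, computer_name, disk_id, mac_address)


@dataclass
class Hotpatch:
    address: int
    patched: bytes


def apply_hotpatch(memory: bytearray, patch: Hotpatch) -> None:
    """Write the patch bytes into the modelled guest memory (claim 12)."""
    memory[patch.address:patch.address + len(patch.patched)] = patch.patched


def hotpatch_in_effect(memory: bytearray, patch: Hotpatch) -> bool:
    """Confirm a previously applied hotpatch is still present (claim 15)."""
    return bytes(memory[patch.address:patch.address + len(patch.patched)]) == patch.patched


def evaluate_actions(actions) -> list:
    """Return a description of every observed action that counts as anti-VM."""
    findings = []
    for name, arg in actions:
        if name in ANTI_VM_ACTIONS:
            findings.append(ANTI_VM_ACTIONS[name])
        elif name == "sleep" and arg >= SLEEP_THRESHOLD_MS:
            findings.append(f"sleep of {arg} ms (claim 16)")
    return findings


def analyze_candidate(sample: bytes, actions) -> dict:
    """Claim 1's decision step: any anti-VM finding yields an alert and a signature."""
    findings = evaluate_actions(actions)
    malicious = bool(findings)
    return {
        "malicious": malicious,
        "alert": ("candidate malware is malicious: " + "; ".join(findings)) if malicious else None,
        # Assumption: the "signature" of claim 2 is modelled as the sample's SHA-256.
        "signature": hashlib.sha256(sample).hexdigest() if malicious else None,
    }


# Constructed trace: what an in-VM recorder might log for one sample (not real data).
SAMPLE = b"constructed sample bytes"
TRACE = [("open_file", "C:\\x.tmp"), ("sleep", 500),
         ("query_mac_address", None), ("sleep", 120_000)]

if __name__ == "__main__":
    print(provision_vm_environment(seed=1))
    print(analyze_candidate(SAMPLE, TRACE))
```

Seeding the generator is only for reproducible tests; a production sandbox would draw the identifiers from an unseeded source so that no two analysis runs present the same product ID, host name, disk ID, or MAC address to the sample.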
August 11, 2015